1# Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
2#
3# Licensed under the Apache License 2.0 (the "License").  You may not use
4# this file except in compliance with the License.  You can obtain a copy
5# in the file LICENSE in the source distribution or at
6# https://www.openssl.org/source/license.html
7
8# This verifies that FIPS and legacy providers built against some earlier
9# released versions continue to run against the current branch.
10
11name: Provider compatibility across versions
12
13# NOTE: if this is being run on pull_request, it will **not** use the pull
14#       request's branch.  It is hardcoded to use the master branch.
15#
16on: #[pull_request]
17  schedule:
18    - cron: '0 15 * * *'
19
20permissions:
21  contents: read
22
23env:
24  opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib
25
26jobs:
27  fips-releases:
28    strategy:
29      matrix:
30        release: [
31          # Formally released versions should be added here.
32          #     `dir' it the directory inside the tarball.
33          #     `tgz' is the name of the tarball.
34          #     `url' is the download URL.
35          {
36            dir: openssl-3.0.0,
37            tgz: openssl-3.0.0.tar.gz,
38            url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz",
39          },
40          {
41            dir: openssl-3.0.8,
42            tgz: openssl-3.0.8.tar.gz,
43            url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz",
44          },
45          {
46            dir: openssl-3.0.9,
47            tgz: openssl-3.0.9.tar.gz,
48            url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz",
49          },
50          {
51            dir: openssl-3.1.2,
52            tgz: openssl-3.1.2.tar.gz,
53            url: "https://www.openssl.org/source/openssl-3.1.2.tar.gz",
54          },
55        ]
56
57    runs-on: ubuntu-latest
58    steps:
59      - name: create download directory
60        run: mkdir downloads
61      - name: download release source
62        run: wget --no-verbose ${{ matrix.release.url }}
63        working-directory: downloads
64      - name: unpack release source
65        run: tar xzf downloads/${{ matrix.release.tgz }}
66
67      - name: localegen
68        run: sudo locale-gen tr_TR.UTF-8
69
70      - name: config release
71        run: |
72          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
73        working-directory: ${{ matrix.release.dir }}
74      - name: config dump release
75        run: ./configdata.pm --dump
76        working-directory: ${{ matrix.release.dir }}
77
78      - name: make release
79        run: make -s -j4
80        working-directory: ${{ matrix.release.dir }}
81
82      - name: create release artifacts
83        run: |
84          tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }}
85
86      - name: show module versions from release
87        run: |
88          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
89                                                 -provider base             \
90                                                 -provider default          \
91                                                 -provider fips             \
92                                                 -provider legacy           \
93                                                 -providers
94        working-directory: ${{ matrix.release.dir }}
95
96      - uses: actions/upload-artifact@v4
97        with:
98          name: ${{ matrix.release.tgz }}
99          path: ${{ matrix.release.tgz }}
100          retention-days: 7
101
102  development-branches:
103    strategy:
104      matrix:
105        branch: [
106          # Currently supported FIPS capable branches should be added here.
107          #     `name' is the branch name used to checkout out.
108          #     `dir' directory that will be used to build and test in.
109          #     `tgz' is the name of the tarball use to keep the artifacts of
110          #         the build.
111          {
112            name: openssl-3.0,
113            dir: branch-3.0,
114            tgz: branch-3.0.tar.gz,
115          }, {
116            name: openssl-3.1,
117            dir: branch-3.1,
118            tgz: branch-3.1.tar.gz,
119          }, {
120            name: openssl-3.2,
121            dir: branch-3.2,
122            tgz: branch-3.2.tar.gz,
123          }, {
124            name: openssl-3.3,
125            dir: branch-3.3,
126            tgz: branch-3.3.tar.gz,
127          }, {
128            name: openssl-3.4,
129            dir: branch-3.4,
130            tgz: branch-3.4.tar.gz,
131          }, {
132            name: master,
133            dir: branch-master,
134            tgz: branch-master.tar.gz,
135          },
136        ]
137
138    runs-on: ubuntu-latest
139    steps:
140      - uses: actions/checkout@v4
141        with:
142          path: ${{ matrix.branch.dir }}
143          repository: openssl/openssl
144          ref: ${{ matrix.branch.name }}
145      - name: localegen
146        run: sudo locale-gen tr_TR.UTF-8
147
148      - name: config branch
149        run: |
150          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
151        working-directory: ${{ matrix.branch.dir }}
152      - name: config dump current
153        run: ./configdata.pm --dump
154        working-directory: ${{ matrix.branch.dir }}
155
156      - name: make branch
157        run: make -s -j4
158        working-directory: ${{ matrix.branch.dir }}
159
160      - name: create branch artifacts
161        run: |
162          tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}
163
164      - name: show module versions from branch
165        run: |
166          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
167                                                 -provider base             \
168                                                 -provider default          \
169                                                 -provider fips             \
170                                                 -provider legacy           \
171                                                 -providers
172        working-directory: ${{ matrix.branch.dir }}
173
174      - name: get cpu info
175        run: |
176          cat /proc/cpuinfo
177          ./util/opensslwrap.sh version -c
178        working-directory: ${{ matrix.branch.dir }}
179
180      - name: make test
181        run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
182        working-directory: ${{ matrix.branch.dir }}
183
184      - uses: actions/upload-artifact@v4
185        with:
186          name: ${{ matrix.branch.tgz }}
187          path: ${{ matrix.branch.tgz }}
188          retention-days: 7
189
190  cross-testing:
191    needs: [fips-releases, development-branches]
192    runs-on: ubuntu-latest
193    strategy:
194      fail-fast: false
195      matrix:
196        # These can't be figured out earlier and included here as a variable
197        # substitution.
198        #
199        # Note that releases are not used as a test environment for
200        # later providers.  Problems in these situations ought to be
201        # caught by cross branch testing before the release.
202        tree_a: [ branch-master, branch-3.4, branch-3.3,
203                  branch-3.2, branch-3.1, branch-3.0,
204                  openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ]
205        tree_b: [ branch-master, branch-3.4, branch-3.3,
206                  branch-3.2, branch-3.1, branch-3.0  ]
207    steps:
208      - name: early exit checks
209        id: early_exit
210        run: |
211          if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ];           \
212          then                                                              \
213            echo "Skipping because both are the same version";              \
214            exit 1;                                                         \
215          fi
216        continue-on-error: true
217
218      - uses: actions/download-artifact@v4.1.8
219        if: steps.early_exit.outcome == 'success'
220        with:
221          name: ${{ matrix.tree_a }}.tar.gz
222      - name: unpack first build
223        if: steps.early_exit.outcome == 'success'
224        run: tar xzf "${{ matrix.tree_a }}.tar.gz"
225
226      - uses: actions/download-artifact@v4.1.8
227        if: steps.early_exit.outcome == 'success'
228        with:
229          name: ${{ matrix.tree_b }}.tar.gz
230      - name: unpack second build
231        if: steps.early_exit.outcome == 'success'
232        run: tar xzf "${{ matrix.tree_b }}.tar.gz"
233
234      - name: set up cross validation of FIPS from A with tree from B
235        if: steps.early_exit.outcome == 'success'
236        run: |
237          cp providers/fips.so ../${{ matrix.tree_b }}/providers/
238          cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/
239        working-directory: ${{ matrix.tree_a }}
240
241      - name: show module versions from cross validation
242        if: steps.early_exit.outcome == 'success'
243        run: |
244          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
245                                                 -provider base             \
246                                                 -provider default          \
247                                                 -provider fips             \
248                                                 -provider legacy           \
249                                                 -providers
250        working-directory: ${{ matrix.tree_b }}
251
252      - name: get cpu info
253        if: steps.early_exit.outcome == 'success'
254        run: |
255          cat /proc/cpuinfo
256          ./util/opensslwrap.sh version -c
257        working-directory: ${{ matrix.tree_b }}
258
259      - name: run cross validation tests of FIPS from A with tree from B
260        if: steps.early_exit.outcome == 'success'
261        run: |
262          make test HARNESS_JOBS=${HARNESS_JOBS:-4}
263        working-directory: ${{ matrix.tree_b }}
264